While the zero trust approach to security continues to gain traction with customers, the concept is increasingly being misapplied by “legacy” cybersecurity vendors, Zscaler CEO Jay Chaudhry told VentureBeat.
Chaudhry, who founded the company in 2007 and took it public in 2018, said in an interview that he’s been unhappy to see some vendors claiming their network security offerings enable zero trust.
“Either you’re zero trust or you’re network security. You don’t do both,” Chaudhry said.
True zero trust involves connecting users directly to applications without going over the network at all, he said. And that type of architecture “is the opposite of network security,” Chaudhry said.
When it comes to the zero trust concept, “legacy companies have hijacked the term,” he said. “It has lost its meaning.”
Zscaler has continued to find strong demand for its zero trust offerings: Revenue for the company’s first fiscal quarter of 2022 surged 62% to $230.5 million–marking an acceleration from the previous quarter, when revenue jumped 57%. The vendor is now generating more than $1 billion in annual recurring revenue, and counts 35% of the Fortune 500 in its customer base, with more than 5,600 customers in all.
At the core of the company’s products is its Zero Trust Exchange, which combines a cloud-based secure web gateway with cloud-delivered zero trust network access (ZTNA) – ultimately ensuring that only authorized users can connect to applications. The approach is described as “zero trust” because it essentially assumes that users are unauthorized, and requires more proof of their legitimacy than traditional methods.
To do this, Zscaler’s Zero Trust Exchange considers additional factors beyond just authentication of identity, such as the user’s location, security posture of their device, and the application or data they’re trying to access.
With this stronger approach to verification, Zscaler says its Zero Trust Exchange prevents unauthorized users from accessing applications–and prevents lateral movement by attackers since they can’t even enter the network in the first place.
With Zscaler’s platform, “your applications are hidden behind us,” Chaudhry said. “This is totally opposite of firewalls and VPN and network security.”
Breaches such as the Colonial Pipeline ransomware attack have shown that standard network security tools such as VPNs can be “dangerous,” he said. And yet, Chaudhry said he’s now seeing vendors that claim to offer “zero trust network security.”
“Either you’re zero trust or you’re network security. You don’t do both,” he said. “Your firewall is designed as a network device. The architecture has to be opposite [from zero trust]. There’s no such thing as a ‘zero trust firewall’–they don’t go together.”
The company has two main products: Zscaler Internet Access brings a zero trust approach for securing access to the web and software-as-a-service applications, while Zscaler Private Access covers access to a company’s private applications. Both go through the Zero Trust Exchange. In 2021, Zscaler expanded its offerings to provide zero trust for workloads.
“Just like users need to access applications, applications need to access applications–workloads need to access workloads,” Chaudhry said. “So that’s a new offering we brought to the market, and there’s tons of interest in it. I don’t even know anyone offering zero trust workloads at this stage.”
An illustration of Zscaler’s approach can be seen in how it’s protected customers from exploits of the remote code execution vulnerability in Log4j, he said. The vulnerability, disclosed in December, has affected a broad swath of enterprise applications and is considered trivial to exploit.
The flaw is the “most dangerous vulnerability” imaginable – but Zscaler customers have benefited from keeping their applications hidden by the Zero Trust Exchange, Chaudhry said.
“I had a number of customers who reached out to me and said, ‘Thank God I am hidden behind Zscaler. I need to patch my systems, but I’m not sweating. I have time to patch them, because they can’t be discovered and seen from the internet,’” he said. “So the faster the market embraces zero trust, the safer we will get.”
What follows is an edited portion of the interview with Chaudhry.
What’s your message on why zero trust security is so important for customers to focus on?
Zero trust is the architecture that’s more badly needed in cybersecurity than anything else out there. I’ve been excited to see that it’s picking up. But I’m very disappointed to see that the term has become a buzzword. Legacy companies have hijacked the term. It has lost its meaning. The whole thing started with zero trust network access. The notion was, do not put users on the network–because if you do, they can move laterally and go anywhere. And that’s the biggest security risk today. If you look at Colonial Pipeline, they stole some VPN credentials, got on the network, moved laterally, found a high-value billing application–and then encrypted it and stole the data. It highlighted two things. It highlighted the notion that VPNs [can be] dangerous–dangerous because they put you on the network, and then you can move laterally. So the notion [of zero trust] was, connect users to applications–just applications, not to the network.
What are the legacy vendors claiming is zero trust, but really isn’t in your view?
A few weeks ago, this vendor said, “We are the best zero trust network security vendor.” Either you’re zero trust or you’re network security. You don’t do both. Your firewall is designed as a network device. The architecture has to be opposite. There’s no such thing as a “zero trust firewall”–they don’t go together …
[With internal applications] we open an inside-out connection, so there’s no outside-in connection allowed. That means your applications are hidden behind us. This is totally opposite of firewalls and VPN and network security.
In 2021, what did you see in terms of customer adoption of zero trust? Did you see a major pickup in zero trust displacing VPN in 2021?
[Zero trust] started replacing VPN in 2020. In 2021, it became more than just a VPN replacement–it became their entire DMZ. Because if zero trust is only [replacing] VPN, then zero trust is too narrow. When customers deploy a zero trust [platform] like Zscaler, they replace all of their old-school appliances. Typically, in the DMZ they’ve got their global load balancers, their DDoS protection, their external layer of firewalls, IPS, and VPNs. With Zscaler Zero Trust Exchange, all of that goes away. We do all of that …
I think zero trust is now driven by every CIO and CISO I talk to. Fifteen months ago, when I talked to CIOs or CISOs, probably a third would say, “Yeah, I’m interested in zero trust.” Now it’s nine out of 10 that would say, “I’m interested, and I have a budget for the project.”
What metrics can you point to around the adoption of zero trust in your customer base in 2021?
We essentially are a zero trust company. We have two main products–Zscaler Internet Access and Zscaler Private Access. Both go through what we call our Zero Trust Exchange. Our revenue last year grew about 56%-57%. Billings were in the 70% range. That’s on a large scale. Our ARR now is over a billion dollars. So to be able to grow at that kind of rate, at a large scale, is proof of the interest in our zero trust offerings.
How do you connect users to applications without going through a network?
I came up with an analogy that people appreciate. So if I come to see you at your headquarters, I come to reception. And they stop me, check my ID, give me a badge. And then they let me go unescorted to Room 22. If they did so, I could go anywhere, to any room that’s open–Room 21, Room 19. I could move to adjacent buildings that are interconnected. That’s exactly what happens when you put people on the network, either by being in the branch office, or by being on a VPN. Not very good.
How do you solve it? Well, borrowing from the same analogy, first of all, you remove the names of the buildings. They can’t even see where you are. You go dark. Two, you remove interconnection. Each building is an independent building. You don’t even know where those buildings are. You come to the reception again, they check your ID and give you a badge. And they’ll say, “you will be escorted to Room 22–and 22 only–after being blindfolded.” You don’t even need to know where the room is. We take you there, the meeting happens–then you get blindfolded and you get escorted out. So the notion is to connect users to applications, not to the network.
The [reason] I’m saying the term is hijacked is that this is the opposite of network security. In network security, users and applications are all secured there on the trusted network. But in [the zero trust] model, it’s the opposite.
For zero trust, what factors do you check before allowing access to applications?
First it’s, who are you? I need to check your identity. If that passes, we check device trust. Can we trust your device? Is it compromised, not compromised, managed, unmanaged? Perhaps I can do a different policy for an unmanaged device, but managed, I can let you go to my crown jewel application. If that passes, we do a security status check. We’re checking for malicious content. We’re checking anomalous behavior of the traffic, to see if a user is doing some crazy thing, and then we can stop them dynamically. If that’s good, we say where are you? We’re checking your destination. We can select which applications they can go to. Some people can only go to SAP, some people can only go to certain sites. If all that is good, then we connect you to the application.
What were the biggest updates for your product portfolio in 2021?
We built zero trust for users [with] our two main product lines, ZIA and ZPA. So as users can access internal or external applications, this has been our flagship product. Then it was natural for us to extend it to zero trust for workloads. Just like users need to access applications, applications need to access applications–workloads need to access workloads. So that’s a new offering we brought to the market, and there’s tons of interest in it. I don’t even know anyone offering zero trust workloads at this stage.
Then Siemens came and said, “This is wonderful, but I want to do the same thing for IoT and OT.” They have lots of plants and factories, lots of these IoT devices, lots of OT systems. And they want to enable them for zero trust. So we have some of the core offerings available [in IoT/OT]. Probably in the next three months, we’ll have the next release coming up with some additional key functions.
What parts of zero trust for IoT/OT are already available, and what’s coming next?
If you look at IoT and OT, they’re two [different] things. IoT collects telemetry and sends information to a data lake. It could be about the health of the system and whatnot. We have our solution available [so that] when IoT devices talk to our cloud, they get connected to the right application. That’s one part. OT is generally the opposite. OT systems are control systems. They could be X-ray machines, could be MRI machines. Or they could be a power plant, and [the customer] needs to access those power plants remotely. Traditionally, they’ve done VPN kind of stuff to get there–but they’re worried about it. And they use Zscaler. That’s available today. Now they want next-level functionality–they want session recording, and some of the more sophisticated security [capabilities]. Those things are under development.
Overall, what is 2022 about for Zscaler? What are your big goals and what do you hope to accomplish?
Our primary business is about helping drive customers’ digital transformation. It’s a buzzword, but it’s still a meaningful buzzword. Because everyone starts with transformational applications by embracing SaaS, by embracing Azure, AWS, so they can build and deploy applications at a faster pace. They can use big data lakes for analytics or AI and ML–that’s happening. But once that happens, they must change the network that’s designed as a hub-and-spoke network to come to the data center, which used to be the center of gravity. That needs to go direct, but it can’t go direct unless it’s secure. So security must be changed. Our customers are going through this transformation journey. In 2022, we expect this to be a big year for adoption of zero trust for workloads. Because that’s a relatively new area.
More and more customers this year want to solve the performance problem. Because when something goes wrong, and a user is experiencing slowness, where do you even start? IT has no tools to work with, because all the performance monitoring tools for users sat in the branch and the data center.
At Zscaler, we have a lightweight agent on the endpoint. We take you to the application and back. We actually are sitting in the ideal place, sitting in the data path, to check your end-to-end response time. So we have an offering, called Zscaler Digital Experience, that actually tells you where the problem is and how to go about resolving it. We are seeing a lot of adoption in that area as well. So user performance, [zero trust for] workloads, and some of the IoT/OT areas, are some big growth areas we see.
How does the opportunity around zero trust for workloads compare to the remaining opportunity you have around zero trust for users?
It’s sizable, but it’s also going fast. We did the bottom-up market sizing about eight months ago for our analyst day [looking at] companies with over 2,000 employees. The [total addressable] market for zero trust for the user that we’re pursuing is about $49 billion. The TAM for workloads we are pursuing right now is about $22 billion. So it’s about a $72 billion total market we are pursuing. And we are very much leading – especially on the higher end. You take Fortune 500 companies, and 35% of them are Zscaler customers. And the number is growing pretty well. With Global 2000 companies, we’re over 25%. But there’s still a big market ahead of us.
What are some of the major threats you’ve seen where Zscaler’s zero trust approach has made a difference for customers?
Think of Log4j. It’s the most dangerous vulnerability. You can scan the internet, you can find all kinds of servers, you can find which ones are [vulnerable], and you can get in. Not even a password needs to be guessed. In the case of zero trust, all those applications will be hidden behind [Zscaler Zero Trust] Exchange. I had a number of customers who reached out to me and said, “Thank God I am hidden behind Zscaler. I need to patch my systems, but I’m not sweating. I have time to patch them, because they can’t be discovered and seen from the internet.” So the faster the market embraces zero trust, the safer we will get.